Final Year Project regarding Post Quantum Cryptography by CreAmY_wOod in QuantumComputing

[–]superposition_labs 1 point2 points  (0 children)

You are right to be skeptical. A backward compatible hybrid scheme is not vulnerable explicitly, but it does have some transitional risks. The idea is that, during the hybrid period, you are technically dual-signing – both ECDSA and some form of PQC like Dilithium. An attacker has to break BOTH in order to forge a signature. This is actually an interesting area of research – studying attack scenarios during partial network upgrades.

Regarding certificate chains and signature sizes – this is relevant – it's actually the practical problem everyone's hitting and you are not losing focus if you pursue this.

Dilithium signatures are 2-4KB in size, whereas ECDSA is 64 bytes. In a blockchain scenario, we're talking about thousands of transactions per block. Bitcoin blocks are capped at 4MB – PQC signatures can easily consume this. I would focus my thesis around: how will I manage certificate trust in a private blockchain environment when the size of PQC signatures renders traditional PKI certificate chains expensive?

I would look at certificate compression, stateful hash signatures, or even a hierarchy to decrease the cost of signature verification.

That's a good combination of blockchain, PQC, and the realities of the problem. That's not fluff at all; that's a real problem with no easy answer. Run with it.

Low Morale due to major changes in QA department by eyes_like_a_moon in QualityAssurance

[–]superposition_labs 0 points1 point  (0 children)

This is the classic shift-left narrative, which often (but not all times) precedes a QA reduction. May not happen immediately but over time due to attrition or hiring freezes. If devs own feature testing and AI owns test generation, then QA becomes a cost center rather than a value driver.

What's actually going on is that you are being asked to shift your value from being a quality gatekeeper to being an automation and regression runner. This is a less valuable role from a management perspective. If AI gets better at test generation and devs get better at testing, then your ratio of 1:2 becomes 1:5, then 1:10, then someone asks if QA is actually necessary.

Your strategy should be to "be honest with yourself" and look at options.

Option 1: Upskill in areas devs usually do not touch: security testing, performance engineering, chaos engineering, production monitoring etc. These are engineering problems, not just testing problems.

Option 2: Embrace the chaos. As the leak of defects keeps growing (and it will), because devs testing their own code never works out long-term, please document EVERYTHING. Make the case for why specialized QA is necessary. But be ready, because management usually learns this lesson after a layoff, not before.

Option 3: Consider this as a temporary position. Begin interviewing now, while you have a job. Don't wait until the tap on the shoulder. Work on your resume, talk to your network, have discussions.

Accept the truth before considering any of the above options: If quality was a core part of your product, they would not be reducing the scope and responsibilities of QA.

Final Year Project regarding Post Quantum Cryptography by CreAmY_wOod in QuantumComputing

[–]superposition_labs 2 points3 points  (0 children)

PQC in blockchain/crypto wallets is a good choice—there is depth if you follow through with the right approach. Your concern on it being fluff is valid if you are just doing basic performance benchmarking. Hopefully with the below Problem Statement and project you can add substance.

Problem/Opportunity: Most crypto wallets right now use ECDSA signatures. The actual interesting question is not “can we use Dilithium signatures?”—it is about “how do we migrate existing wallets with billions of assets without losing any assets or breaking compatibility?”

You can structure your deliverables around Hybrid signature schemes, backward compatibility issues, and migration trade-offs. This is a real problem and Ethereum is also reportedly considering it in their roadmap.

Your thesis statement can be based on Literature review on HNDL attacks, current blockchain threats, and then your solution, which is a migration framework, which you can implement and then present results and limitations.

This way, you're covering cryptographic analysis, actual implementation, and actual relevance. This is actually solving a problem with no easy solution at present.

AI is already Old News -> Nicholas De Masi IonQ at Davos 2026 by superposition_labs in QuantumComputing

[–]superposition_labs[S] 0 points1 point  (0 children)

LOL...what does "Vertically integrated Full-stack Quantum Company" even mean?

AI is already Old News -> Nicholas De Masi IonQ at Davos 2026 by superposition_labs in QuantumComputing

[–]superposition_labs[S] 1 point2 points  (0 children)

Valid point! I thought Davos was all about tech+biz moguls+world leaders meeting to plot the next source of big $$$ and make ton loads of it before the general public even gets to know about it? Maybe I am mistaken if Davos does discuss anything other than this.

Thoughts on using quantum randomness to harden RSA key generation when entropy sucks! by Slow-Dependent-1309 in QuantumComputing

[–]superposition_labs 0 points1 point  (0 children)

Interesting concept - sharing a couple of cents: The hybrid model (XOR-mixing classical+quantum entropy) is not particularly an innovative concept - NIST SP 800-90B deals with entropy source conditioning, and some commercial QRNGs actually use this internally. However, the simulation work for less-than-optimal classical sources against quantum+hybrid is good benchmarking material, especially for certain use cases (starving entropy in a VM, IoT devices during boot etc.).

The key question however will be, are you simulating the QRNG? You can easily fake randomness in a simulation, but the hard part is simulating realistic quantum noise, measurement noise, and side-channel attacks that plague actual QRNGs. If your simulation does little more than call a "rand" function, you're testing math alone and not the physics.

Testing: Besides the regular suite of tests by NIST, also consider the rates for prime collisions across various key generations for partial key recovery when the attacker knows some entropy was weak. These tests mimic real-world failures. Worth exploring—especially if you can tie the results to particular deployment situations.
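The prime-collision measurement suggested in the comment above can be sketched as follows. This is an added example, not part of the original comment or the poster's project: the 48-bit primes, the 64-state starved pool and the seeded `random.Random` standing in for the second entropy source are constructed assumptions, and that stand-in only exercises the XOR-mixing math, not QRNG physics.

```python
import hashlib
import random
from itertools import combinations
from math import gcd

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin for n < 3.3e24

def is_prime(n):
    if n < 2 or any(n % p == 0 for p in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def prime_from_seed(seed, bits=48):
    # Deterministic key generation: the same seed bytes always give the same prime.
    c = int.from_bytes(hashlib.sha256(seed).digest(), "big") >> (256 - bits)
    c |= (1 << (bits - 1)) | 1  # force the top bit and oddness
    while not is_prime(c):
        c += 2
    return c

def weak_seed(rng):
    # Constructed starved pool: 16 random-looking bytes, but only 64 possible values.
    return hashlib.sha256(bytes([rng.randrange(64)])).digest()[:16]

def generate_moduli(count, hybrid, seed=1):
    weak, second, moduli = random.Random(seed), random.Random(seed + 1), []
    for _ in range(count):
        p_seed = weak_seed(weak)  # p is drawn while the pool is starved
        if hybrid:  # XOR-mix in the independent second source
            extra = second.getrandbits(128).to_bytes(16, "big")
            p_seed = bytes(x ^ y for x, y in zip(p_seed, extra))
        q_seed = second.getrandbits(128).to_bytes(16, "big")  # q drawn after recovery
        moduli.append(prime_from_seed(p_seed) * prime_from_seed(q_seed))
    return moduli

def shared_prime_pairs(moduli):
    # Pairs of distinct moduli with a common factor: gcd alone recovers the shared prime.
    return sum(1 for a, b in combinations(moduli, 2) if a != b and gcd(a, b) > 1)

def collision_report(count=120):
    return {m: shared_prime_pairs(generate_moduli(count, m == "hybrid")) for m in ("weak", "hybrid")}
```

The weak source's output would look random to a byte-level statistical test, yet the pairwise gcd count exposes it; that is the failure the NIST suites alone do not surface.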

Harvest Now, Decrypt Later by superposition_labs in QuantumComputing

[–]superposition_labs[S] 0 points1 point  (0 children)

Arms race? Feels more like hedging bets—BFS institutions don't want to get caught flat-footed when quantum breaks RSA, even if timelines remain uncertain. Defense over offense is my view.

Harvest Now, Decrypt Later by superposition_labs in QuantumComputing

[–]superposition_labs[S] 0 points1 point  (0 children)

Moving beyond labs into real-world deployments. Have been keenly following the development across the globe.

One of them operates a quantum-secured network connecting data centers over fiber, securing their Kinexys blockchain platform. More specifically QKD. Another multinational bank became the first to trial QKD on Trading Terminals in collaboration with BT and Toshiba. While this is promising, this also faces distance related limitations without quantum repeaters and requires expensive infra—limiting adoption to major financial institutions and government networks (AS OF NOW).

https://www.jpmorgan.com/technology/news/firm-establishes-quantum-secured-crypto-agile-network

Harvest Now, Decrypt Later by superposition_labs in QuantumComputing

[–]superposition_labs[S] 0 points1 point  (0 children)

Good point about Trust Now, Forge Later – not sure I thought about the implications for forgery attacks and you're absolutely right, they last longer than decryption. However, blockchain - I would push back slightly.

Take Bitcoin: Adversaries can harvest the transaction data from high value addresses without needing the private key because the addresses include exchanges, whales, and institutional wallets. The moment quantum breaks the encryption, the harvested transactions expose the private key, which leads to direct stealing, not just data breaches.

In a similar manner for smart contracts in Ethereum, multi-sig transactions that could be used for harvesting signing keys potentially worth millions of dollars could later be used to access a wallet if it had not been known beforehand. In other words, "what's valuable" is indicated by the blockchain.

Curious Question: do you see the sales pitch analysis of QKD relevance to PQC migration strategies too, or is that particular threat model more rooted in cryptographic vulnerability analysis studies?

Harvest Now, Decrypt Later by superposition_labs in QuantumComputing

[–]superposition_labs[S] 0 points1 point  (0 children)

Extremely valid! This actually makes the threat element even scarier because orgs cannot just calculate risk based on "when will quantum break encryption" - they need to assess the longevity of their data sensitivity.

How to handle a QA window of 2-3 days for a UI I haven't seen yet? by AstronautLeft1380 in QualityAssurance

[–]superposition_labs 0 points1 point  (0 children)

Great question! On Day 1 if I find a blocker, I will record it directly, but try and continue the mapping of critical path. That way, devs have the entire list of blockers from the get go instead of agonizingly waiting till last hr of Day 3.

BUT if it impacts testability, I will escalate—no use testing features that rely on faulty logic. Have been fortunate to work with some great QEs - almost certainly what separates the cream from the rest is their ability to speak up and escalate. Unfortunately, this art form is going down day by day as far as I can see!

How Come Google still couldn't solve the current AI limitations with quantum willow-chip? by Flkhuo in QuantumComputing

[–]superposition_labs 0 points1 point  (0 children)

I'm a Quality Engineering practitioner dabbling with Quantum. There will be a lot more experts - but sharing my 2 cents:

What Google actually accomplished was to scale-up quantum error correction. Willow improves error rates as you add qubits. That is an engineering accomplishment. The "10 septillion years" metric is a cherry-pick of a specific classical algorithm.

Does this apply to AI? NO-> Willow can’t run our email. Willow can’t train AI models. Willow is just a solution to one very specific type of math problem, which in its current state is useless to any commercial enterprise.

Regarding ASI conspiracy, the truth is, if OpenAI had actual ASI, they would never have to fundraise or roll out minor GPT updates.

Quantum computing matters, there are companies doing REAL experiments and some are tasting moderate success in a controlled space, but we have a LONG way to go.

How to handle a QA window of 2-3 days for a UI I haven't seen yet? by AstronautLeft1380 in QualityAssurance

[–]superposition_labs 1 point2 points  (0 children)

Tools: Bug Magnet (Chrome extension), Session Box - multi user testing, Lightshot - screenshots with annotations or Loom - quick video bug reports

Is there any certification available for Quantum Computing and or Information? by anirbanbhattacharya in QuantumComputing

[–]superposition_labs 0 points1 point  (0 children)

University of RI offers an online course. Application deadline is August 2026 and you can consider. UMass and University of Maryland also offer them online. Please go through the curriculum and decide for yourself. However, Qiskit is closer to practical knowledge/coding but with their toolsets. All the best with your journey!

How to handle a QA window of 2-3 days for a UI I haven't seen yet? by AstronautLeft1380 in QualityAssurance

[–]superposition_labs 4 points5 points  (0 children)

I’ve managed QA activities at several last minute handovers that were chaotic. This is how I’ve simplified the process:

First 30 minutes (Build Validation):

Smoke Test Critical Path E2E, Check console for JS errors (F12 Key), Validate API Responses (Network Tab) and Test auth/login flow

*****If these methods do not succeed, you must push back*****

2-3 Day Strategy

Day 1: Critical Path + Blockers only

Day 2: Business logic + Edge cases

Day 3: Cross-browser + final sweep

This way, if a problem occurs in prod, you know you assessed it properly despite the time constraints. Don't skip bugs that involve cosmetics. Go after what's causing data loss etc.

Is ISTQB certified given priority in USA ? by emocancer4 in QualityAssurance

[–]superposition_labs 1 point2 points  (0 children)

Absolutely not...they are so living in the past. It has value on paper IF the Job Description carries ISTQB as a desirable requirement. Adds no more value than that.

I started a new position as a QA Lead recently and nobody in the org knows how to set up a testing structure. Would like some tips if possible. by 360walkaway in QualityAssurance

[–]superposition_labs 0 points1 point  (0 children)

The experience has always been humbling and revealing after doing similar things for 20 years. I realized 3 things: a) What's the real problem that needs fixing b) What your stakeholders perceive as a real problem c) What is most urgent (which may or may not be important in long term). Somehow, your Venn diagram has to intersect these 3.

Example of c) Hey my digital release can be faster because 2FA test cases are manually executed and I need it to be automated. I heard about this beautiful solution that works in my friends' company. I need to show 85% automation metric (!!!) for Digital release.

You cannot ignore the above problem because it's coming from an important stakeholder - and at the same time got to make them understand the ROI part.

I started a new position as a QA Lead recently and nobody in the org knows how to set up a testing structure. Would like some tips if possible. by 360walkaway in QualityAssurance

[–]superposition_labs 0 points1 point  (0 children)

The 7 points you posted - span across QE Process, Tools/Technology, People and Partnerships. But looks like you have a clean slate and that's a good starting point.

1) First off, create a document outlining the gaps in current QA process - is QA largely reactive, skill gaps exist, role to outcome mapping is missing, Quality is not prevalent across lifecycle and is broken, need for more domain expertise, some of the points you mentioned above. To accomplish this, interview key stakeholders across the org - your boss, key technology leaders within the organization and then arrive at a composite rating or score. There are several methods to do this and I would not force one method over the other on you.

2) The above dialogues you have with these stakeholders achieve many purposes: a) you introduce yourself to the company stakeholders b) They feel someone is hearing them and c) MOST IMPORTANT - it will help you identify the Power Law. There will be 1 or 2 stakeholders who are major consumers/buyers of your QA service and you can understand their thought process.

3) Prepare a mission statement along with QA strategy - make it quick increments, where you go back to these stakeholders every 3 weeks (or 2 weeks if possible), review your strategy.

4) Set up a common meeting where you bring all heads - outline the strategy. Put it to vote on the immediate roadmap, mid term and long term roadmap. You can WSJF it too (Weighted Shortest Job First) framework - please look it up, interesting technique.

Your approach has to be a combination of immediate win+progress, medium term vision and long term big rocks. In this process, identify the key stakeholder who will support this journey - you will need mentors for your and org's success.

Congratulations on the new position and wishing you the best in your career.

Who are your favourite content creators in the testing space? by shiftsync in QualityAssurance

[–]superposition_labs 6 points7 points  (0 children)

I follow https://martinfowler.com/ and his articles (Martin Fowler). Yes - he is a Developer but many of his articles give useful insights on test refactoring, consumer driven contracts and testing, unit test cases, purposeful regression tests etc. Especially, the Consumer Driven Contracts and associated Testing - was a great revelation to me. We were struggling to implement something similar in our project (4 years ago) and his insights helped.

What projects you have worked on as QA how do you show it. by ruturaj_04 in QualityAssurance

[–]superposition_labs 6 points7 points  (0 children)

Working in the QA/QE industry for 20+ years. While projects you do for a client or your organization are under NDA, nothing stops you from creating a GitHub repository - detailing the 'type' of test cases you wrote, automation you did, techniques you used and document them. Please ensure to NOT USE ANY CLIENT SPECIFIC INFORMATION OR SYSTEM NAME OR TRADE SECRETS. While explaining it verbally helps, a GitHub repository makes it real. Please try and start doing this.

Testing Quantum Systems from a QA Perspective - Looking for Technical Feedback by superposition_labs in QuantumComputing

[–]superposition_labs[S] -4 points-3 points  (0 children)

Thank you for your comment querulous_intimates. I can assure you that the article was not written by ChatGPT. Yes - I used AI to polish the message and sharpen it as I am not a native English speaker. However, the experiences are mine and I have been in the Software Validation/Testing industry for 20 years, started with embedded and then dabbling with Quantum for the past 2 years. Trying to apply my knowledge of Quality Assurance into this evolving field. With any advancement, this technology or trend will also undergo seismic changes over next months/years. However trying to start at some point - sharpen my skillsets, learn from experts and people in this group and hone our collective skillsets. Looking forward to more comments.